Netsparker Team Talks About Reinventing Their Freemium Model

There's been plenty of discussion among the startup community about the pros and cons of the Freemium business model. Some declare it to be a resounding success, whilst others see it as a dismal failure. And, somewhere between these two extremes lies the notion that it all depends on you.

From our perspective, Freemium has proved to be a trusty servant and a key element in our growth. It helped us to gain early traction when we launched our business two years ago. Since then it has underpinned our brand-building and SEO activities delivering a regular and a valuable stream of willing buyers to our order page as well. To date, the free Netsparker Community Edition has been downloaded over 175,000 times and, on any average month, we see an active user base of almost 15,000.

But despite our unreserved praise for what Freemium has given us, we are about to tear up the score card and start again. Why? Because we observed directly from our experiences that we can do even better.

Warning: This is a long post. It tells the story of how we got here and why we think we can re-work our Freemium formula for even greater success delivering much more value to our free users. Only time will tell whether we're killing the sacred cow. However, succeed or fail, we'll surely post an update and let the stats speak for themselves. If you're curious whether this experiment has a happy ending, then subscribe to our newsletter!

The Story So Far

Back in late 2009, our business was just like every other early-stage startup: an enthusiastic team with a big idea and no customers. Like any new entrant into an established market, Netsparker had a mountain to climb. And, when you're up against competition like IBM and HP, that can be an overwhelming challenge.

With a limited marketing budget and a product that nobody had ever heard of, we knew we needed to do something different to set ourselves apart. Freemium was not a new idea, even then, but it certainly wasn't commonplace in our niche, where the incumbent vendors were firmly rooted in all the old ways of the enterprise sales model.

So we decided to take a risk and see what we could achieve by giving our product away.

From the outset, our main concern was to decide on the restricted elements in the free edition. We were committed to the principle that it should be genuinely useful in its own right; not simply an upsell device. But, aside from the warm feelings we got from fulfilling an obvious need in our community, our commercial instincts were also focused on leveraging that tiny subset of free users with bigger expectations (and budgets).

Don't Give Away the Store

Most Freemium strategies entail restricting features or limiting usage capacity, but we had an additional dimension to experiment with; coverage.

When Netsparker scans a website, it tests for lots of heuristic security checks for vulnerabilities. The user receives a detailed analysis of every detected vulnerability along with the background information about its implications and its remediation. It is this comprehensive detection and resolution capability that makes Netsparker so valuable in addition to the productivity features that make it easy and fun to use.

We recognized that we could safely remove many of the bells and whistles, but we hesitated before crippling the detection algorithms that were central to Netsparker's role. Apart from compromising our "genuinely useful" principle, this would mask some of Netsparker's most impressive capabilities and effectively undersell our value proposition.

After much debate within our team, we reached the conclusion that we had no choice but to ship the free edition firing on all cylinders.

A Necessary Compromise

In addition to disabling a number of non-essential features, we carefully reviewed the coverage list and selected a subset of vulnerabilities that would be masked in the free edition.

This selection process was guided by the desire to strike the right balance between utility and temptation. If Netsparker reports one or more serious vulnerabilities in a typical scan, most users become convinced about its detection capabilities and are also intrigued by the possibility that their website has other (more serious) vulnerabilities that might be detected by the premium editions.

Furthermore we refined this approach by reporting some vulnerabilities conditionally. For instance, we chose to report SQL Injection - probably the most common and dangerous vulnerability - but only on the lower-end database platforms (MySQL and MS-SQL). Our reasoning was that, if you can afford Oracle, you can probably justify the investment in Netsparker Standard Edition.

And so it was that we launched the inaugural version of Netsparker Community Edition in April 2010, with a coverage policy that has remained almost untouched ever since.

Return to Core Principles

As we pondered and debated our plans for the latest version of Netsparker, we wondered whether there was a better way to restrict the free edition.

Despite the obvious need for a Freemium strategy that masks certain vulnerabilities, we never felt completely comfortable with its security implications for users. In the words of one of our skeptical team members, "it's like locking the doors of your house and leaving the windows open".

However, we realized that we had acquired a mass of data since we took our very first shots in the dark and that we could use this to create a better Community Edition; one that delivers more to its users and, at the same time, returns more to its creators.

From our own extensive studies and publicly available data such as Whitehat Website Security Statistics Report, we know that the vast majority of websites has at least one detectable vulnerability and a worrying number (upwards of 30%) have one or more critical security flaws – the kind that could wipe out a business. Thus we set about crunching the numbers, aiming to devise a new and a bolder coverage strategy.

As a result, the latest version of Netsparker Community Edition takes a completely new approach to the coverage that is expected to come as a pleasant surprise for users. It will also, hopefully, bring us some karma points and maybe even some additional sales.

Whereas all previous Community Edition releases offered only a subset of the vulnerability coverage of the paid editions, v2.3 will test and report the complete range of vulnerabilities. Some vulnerabilities will have certain details masked, such as the information that helps users to pinpoint their source and resolve them, but all detected vulnerabilities will be identified.

Long story short, if Netsparker reports no vulnerabilities, then none is detected, not because it masked some of them, as it did previously. This is important to us, because we don't want any of our users to spend money on an upscale edition of Netsparker and discover that it brought them no additional benefits.

Aside from the ethical merits of our new approach, we also expect it to have a significant marketing benefit. Since we know that virtually every website has at least one vulnerability and since Netsparker now reports them all, every Community Edition scan is a potential upsell opportunity.

We are anxious to observe the real impacts of this reasoning in the coming months. We'll post an update as soon as the numbers are conclusive, so be sure to subscribe.